The US indictment of three suspected cyber criminals in connection with the largest haul of names and email addresses to date, has prompted a call for zero tolerance for cyber intrusions.
Two Vietnamese citizens living in the Netherlands, Quoc Nguyen and Giang Hoang Vu,were charged with hacking into at least eight US email service providers from February 2009 to June 2012, including Epsilon in 2011.
Millions of names and email addresses were stolen from Epsilon, which handles email marketing campaigns for 2,500 companies, including Marks & Spencer and the Ritz-Carlton, which were among more than 40 companies affected by the breach.
Epsilon confirmed it was among the victims in the case and thanked the US authorities for “bringing this criminal activity to prosecution,” in a statement to security blogger Brian Krebs.
Acting US Attorney John Horn said the scope of the intrusion is unnerving because the hackers did not stop at stealing marketing data and more than a billion email addresses, but also hijacked the email companies’ systems to send bulk spam emails.
Read more about cyber crime
- Businesses should tackle cyber crime by seeking to reduce risk, according to global digital risk and investigations firm Stroz Friedberg.
- Halting cyber crime could have a positive impact on the global economy, according to Intel Security Europe security researcher and CTO Raj Samani.
- Business needs to take cyber crime very seriously, says Europol’s European Cybercrime Centre.
Growing problem for law and business
The hackers then made two million dollars from the email traffic directed to specific websites, according to a statement published by the US department of justice.
Canadian citizen David-Manuel Santos Da Silva of Montreal was charged with conspiracy to commit money laundering for helping Nguyen and Vu to generate revenue from the spam and launder the proceeds.
FBI agent J. Britt Johnson said large-scale and sophisticated international cyber hacking rings are becoming more problematic for both the law enforcement community and US businesses.
He said the federal indictments, apprehensions and extraditions in this case represents several years of work as the FBI and its cyber-trained agents and technical experts acted quickly to stop the ongoing damage to the numerous victim companies as a result of the individuals’ hacking activities.
FBI's Netherlands operation
In August 2012, the FBI – with the assistance of its legal attachés stationed abroad and in conjunction with Dutch law enforcement officials – executed a search warrant in the Netherlands that disrupted continued compromises of those companies.
Vu was arrested in Netherlands in 2012 and extradited to the US in March 2014. On 3 February 2015, he pleaded guilty to conspiracy to commit computer fraud. He is scheduled to be sentenced on 21 April 2015.
Da Silva was arrested on 12 February 2015 and is scheduled to be arraigned on 14 March 2015 in Atlanta. Nguyen is still at large, according to The Toronto Star.
“This case again demonstrates the resolve of the Department of Justice to bring accused cyber hackers from overseas to face justice in the United States,” said assistant attorney General Caldwell.
Resources for small data breaches
But Amichai Shulman, chief technology officer of security firm Imperva, said that, while this case showed that law enforcement agencies are able to point out specific individuals involved in specific acts of cyber crime, it also raises the question of why it takes a massive data breach to blow up in public for that to happen.
“My personal belief is that, if enough resources are put up against small breaches as well as large breaches in what symbolises a zero tolerance policy against cyber violation, we’d see the number of attacks decrease significantly over a short period of time,” he said.
Mark James, security specialist at security firm Eset, said he hoped the case will turn out a success and will lead to many more successful cases showing that the fight against cyber crime is not always a losing battle.
UK police arrest 57
The arrests relate to a range of cyber crimes, including network intrusion and data theft from multinational companies and government agencies, distributed denial of service (DDoS) attacks, cyber-enabled fraud and malware development.
“Criminals need to realise that committing crime online will not make them anonymous to law enforcement,” said Andy Archibald, deputy director of the NCA’s National Cyber Crime Unit (NCCU).
“We are continuously working to track down and apprehend those seeking to utilise computers for criminal ends, and to disrupt the technical networks and infrastructures supporting international cyber crime.”